Microsoft February Patch Tuesday Fixes 50 Security Issues

Microsoft released the February 2018 Patch Tuesday security updates, and this month’s release comes with fixes for 50 vulnerabilities, along with additional patches for the Meltdown and Spectre vulnerabilities (ADV180002).

There are no Windows zero-days in this month’s Patch Tuesday, but Microsoft has included patches for an Adobe Flash Player zero-day that came to light at the start of the month.

The Flash zero-day patches are bundled in ADV180004, which Microsoft silently pushed to users’ PCs last week, on February 6, but which have also been included in the company’s monthly security rollup.

As for Microsoft products, the company says this month’s Patch Tuesday contains fixes for the Windows OS, Microsoft Office and Microsoft Office Services and Web Apps, Internet Explorer, Microsoft Edge, and the ChakraCore JavaScript engine.

Patch Includes Windows Kernel Fixes

The vast majority of this month’s fixes are Elevation of Privilege (EoP) vulnerabilities that will allow attackers with a foothold on the machine to gain SYSTEM-level privileges.

In addition, Microsoft also patched 11 bugs affecting the Windows kernel. Even if these are information disclosure and elevation of privilege issues, these bugs should not be taken lightly, as Microsoft expects threat actors to abuse these vulnerabilities in the future, most of them receiving an assessment of “Exploitation More Likely.”

But there is also some good news. Even if details about a Microsoft Edge Same-Origin Policy (SOP) bypass technique (CVE-2018-0771) became public, the vulnerability was not exploited in the wild before Microsoft delivered a patch earlier today.

Below is a table listing of all the security issues Microsoft fixed this month. We used PowerShell and the Microsoft API to assemble the table below, but the report is much longer. We hosted the full report on GitHub, here.

If you’re not interested in all security updates and you’d like to filter updates per product, you can use Microsoft’s official Security Update Guide portal, accessible here.